Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

From IE 8 to Google Chrome, Keep an Eye on Clickjacking

First Microsoft touts clickjacking protections in Internet Explorer 8, then a security researcher releases a proof of concept for a clickjacking attack targeting the Google Chrome Web browser. Clickjacking, some say, remains an issue that will require cooperation in the security community.

WEBINAR:On-Demand

The same week Microsoft announced on Jan. 26 it had put protections against clickjacking in Internet Explorer 8, security researcher Aditya Sood posted on BugTraq on Jan. 29 a new clickjacking advisory for the Google Chrome browser, with a link to a proof of concept.

Officials at Google said they are aware of the issue, which affects Chrome versions 1.0.154.43 and earlier. So far, Google says it has not seen any attempts to exploit this vulnerability in the wild. Though the posted advisory only mentions Google Chrome, there are reports that the same vulnerability affects Mozilla's Firefox 3.0.5 as well-though this can be mitigated by using the ClearClick anti-clickjacking feature contained in the NoScript plug-in for Firefox.

Internet Explorer 7 does not seem to be affected by Sood's method.

Further reading

Still, clickjacking has affected all the major browsers. The technique was publicized in 2008 by security researchers Jeremiah Grossman, CTO of WhiteHat Security, and Robert Hansen. If done successfully, clickjacking can trick users into clicking on links without their knowledge and effectively circumvents cross-site request forgery protections that attempt to confirm transactions with the user.

In Sood's proof of concept, available here, users click on what appears to be a link to Yahoo.com, but actually directs them to a site about cross-site scripting. Sood wrote:

"A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page.The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page."

While Sood's post focused on Google Chrome, a Google spokesperson was quick to point out that clickjacking is a larger issue that affects all Web browsers.

"The issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser," the spokesperson said. "We are working with other stakeholders to come up with a standardized long-term mitigation approach."

"While it's positive that Microsoft has chosen to do something to safeguard against clickjacking, the new security feature offers very limited protections," Grossman said. "Web site owners can do more to protect their visitors, but unfortunately the average Web citizen still has no way to defend themselves on their own. So most experts will agree the anti-clickjacking feature will do little to stem the near-term risk."

"NoScript has powerful security features that can prevent clickjacking as well as many other Web-based attacks, which also allows users to tune their own level of desired security," he added. "For Internet Explorer, Opera, Google Chrome, etc., they should embed similar features and functionality in their products."

Johnathan Nightingale, a security researcher for Mozilla, said Mozilla's efforts around preventing clickjacking have been more focused on comprehensive solutions like its Content Security Policy proposal and implementing the Origin header to thwart cross-site request forgery attacks.

"We've discussed these publicly with other browser makers and the broader Web security community to ensure that we are helping them prevent the attacks they're concerned about, and to benefit from their experience," Nightingale said. "Changing the way we do security on the Internet needs to be a group effort, and we'd welcome the participation of the IE team in that work."

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.